
Lecture 8: Public Key Cryptography (Diffie-Hellman and RSA)



  1. Lecture 8: Public Key Cryptography (Diffie-Hellman and RSA)

     Public Key Cryptography
     • Asymmetric cryptography
     • Invented in 1974-1978 (Diffie-Hellman and Rivest-Shamir-Adleman)
     • Two keys: private (SK), public (PK)
       – Encryption: with public key
       – Decryption: with private key
       – Digital signatures: signing by private key; verification by public key, i.e., “encrypt” the message digest/hash $h(m)$ with the private key
         • Authorship (authentication)
         • Integrity: similar to MAC
         • Non-repudiation: can’t do with secret key cryptography
     • Much slower than conventional cryptography
     • Often used together with conventional cryptography, e.g., to encrypt session keys

  2. Public Key Cryptography
     [Figure: the plaintext message $m$ enters the encryption algorithm, keyed with Bob’s public key $PK_B$, and leaves as ciphertext $PK_B(m)$; the decryption algorithm, keyed with Bob’s private key $SK_B$, recovers the plaintext message $m = SK_B(PK_B(m))$.]

     Key Pre-distribution: Diffie-Hellman
     “New Directions in Cryptography”, 1976
     • System-wide parameters:
       – $p$: large prime
       – $a$: generator in $Z_p^*$
     • Alice's secret: $v$, public: $y_a = a^v \bmod p$
     • Bob's secret: $w$, public: $y_b = a^w \bmod p$
     • Alice has: $y_b = a^w \bmod p$
     • Bob has: $y_a = a^v \bmod p$
     • $K_{ab} = (y_b)^v \bmod p$
     • $K_{ba} = (y_a)^w \bmod p$

  3. Public Key Pre-distribution: Diffie-Hellman
     • Alice computes $K_{ab}$, Bob computes $K_{ba}$
     • $K_{ab} = K_{ba}$
     • Secure communication with $K_{ab}$
     • Eve knows: $p$, $a$, $y_a$ and $y_b$

     Public Key Pre-distribution: Diffie-Hellman
     • Diffie-Hellman Problem:
       – $p$ large prime, $a$ generator in $Z_p^*$
       – Given: $y_a = a^v \bmod p$ and $y_b = a^w \bmod p$
       – FIND: $a^{vw} \bmod p$
     • Discrete Log Problem:
       – Given: $y_a = a^v \bmod p$
       – FIND: $v$

  4. Public Key Pre-distribution: Diffie-Hellman
     • Decision DH Problem:
       – $p$ large prime, $a$ generator
       – Given: $y_a = a^v \bmod p$, $y_b = a^w \bmod p$
       – Distinguish: $K_{ab} = a^{vw} \bmod p$ from a random number!
     • DH Assumption: DH problem is HARD (not P)
     • DL Assumption: DL problem is HARD (not P)
     • DDH Assumption: solving DDH problem is HARD (not P)

     Interactive (Public) Key Exchange: Diffie-Hellman
     • Alice: choose random $v$, send $y_a = a^v \bmod p$
     • Bob: choose random $w$, send $y_b = a^w \bmod p$
     • Alice: compute $K_{ab} = (y_b)^v \bmod p$
     • Bob: compute $K_{ba} = (y_a)^w \bmod p$
     • Secure communication with $K_{ab}$
     • Eve is passive …

  5. The Man-in-the-Middle (MitM) Attack
     (assume Eve is an active adversary!)
     • Alice: choose random $v$, $y_a = a^v \bmod p$
     • Bob: choose random $w$, $y_b = a^w \bmod p$
     • Alice: compute $K_{ab} = (y_b)^v \bmod p$
     • Bob: compute $K_{ba} = (y_a)^w \bmod p$
     • Secure communication with $K_{ab}$

     RSA (1976-8)
     • Let $n = pq$ where $p$, $q$ are large primes
     • $e, d \in_R Z_n$ and $ed \equiv 1 \bmod \Phi(n)$, where $\Phi(n) = (p-1)(q-1) = pq - p - q + 1$
     • Secrets: $p$, $q$, $d$
     • Publics: $n$, $e$
     • Encryption: message $= m < n$; $E(x) = y = m^e \bmod n$
     • Decryption: ciphertext $= y$; $D(y) = x' = y^d \bmod n$
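Returning to the man-in-the-middle slide above: the Python sketch below is an added example, not part of the lecture. It runs the exchange once with a passive Eve and once with an active Eve who replaces both public values with her own, which is why the public values must be authenticated. The parameters (the Mersenne prime $2^{127}-1$ as $p$, base 3) are toy assumptions chosen for the example.

```python
import secrets

# Toy parameters assumed for this example (not from the slides):
# p = 2^127 - 1 is a Mersenne prime, a = 3 is used as the base.
P = 2**127 - 1
A = 3

def keypair():
    """Return (secret, public) with public = a^secret mod p."""
    secret = secrets.randbelow(P - 3) + 2        # 2 <= secret <= p - 2
    return secret, pow(A, secret, P)

def shared(their_public, my_secret):
    """K = (their_public)^my_secret mod p."""
    return pow(their_public, my_secret, P)

def honest_exchange():
    """Passive Eve: she sees p, a, y_a, y_b but changes nothing."""
    v, y_a = keypair()                           # Alice
    w, y_b = keypair()                           # Bob
    return shared(y_b, v), shared(y_a, w)        # (K_ab, K_ba)

def intercepted_exchange():
    """Active Eve: both parties receive her public value y_e."""
    v, y_a = keypair()                           # Alice
    w, y_b = keypair()                           # Bob
    z, y_e = keypair()                           # Eve
    k_alice = shared(y_e, v)     # Alice believes y_e came from Bob
    k_bob = shared(y_e, w)       # Bob believes y_e came from Alice
    eve_alice = shared(y_a, z)   # Eve's key with Alice
    eve_bob = shared(y_b, z)     # Eve's key with Bob
    return k_alice, k_bob, eve_alice, eve_bob

if __name__ == "__main__":
    k_ab, k_ba = honest_exchange()
    print("passive Eve, keys match:", k_ab == k_ba)
    k_alice, k_bob, eve_alice, eve_bob = intercepted_exchange()
    print("active Eve, Alice and Bob share a key:", k_alice == k_bob)
    print("Eve holds Alice's key:", k_alice == eve_alice)
    print("Eve holds Bob's key:", k_bob == eve_bob)
```
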

  6. Why does it all work?
     • $x \in Z_n^*$
     • $x^{ed} = x^{1 \bmod \Phi(n)} \bmod n = x^{c \cdot \Phi(n) + 1} \bmod n = x$
     • But, recall that: $g^{\Phi(n)} = 1 \bmod n$ (Lagrange)

     How does it all work?
     • Example: p=5, q=7, n=35, (p-1)(q-1) = 24 = 3*2^3
       – pick e=11, d=11
       – x=2, E(x) = 2048 mod 35 = 18 = y
       – y=18, D(y) = 6.426841007923e+13 mod 35 = 2
     • Example: p=17, q=13, n=221, (p-1)(q-1)=192=3 4 *2
       – pick e=5, d=77
       – Can we pick 16? 9? 27? 185?
       – x=5, E(x) = 3125 mod 221 = 31
       – D(y) = 31^77 = 6.83676142775442000196395599558e+114 mod 221 = 5

  7. Why is it Secure?
     • Conjecture: breaking RSA is polynomially equivalent to factoring n
     • Recall that n is very, very large!
     • Why: n has unique factors p, q
     • Given p and q, computing (p-1)(q-1) is easy: $ed \equiv 1 \bmod \Phi(n)$
     • Use extended Euclidean!

     Exponentiation Costs
     • Integer multiplication -- $O(b^2)$ where b is the bit-size of the base
     • Modular reduction -- $O(b^2)$
     • Thus, modular multiplication -- $O(b^2)$
     • Modular exponentiation (as in RSA) -- $m^e \bmod n$
     • Naïve method: e-1 modular products -- $O(b^2 \cdot e)$
     • BUT what if e is large, (almost) as large as n?
     • Let l = |e| (e.g., l=1024 for a 1024-bit RSA exponent)
     • We can assume b and l are very close, almost the same
     • Square-and-multiply method works in $O(b^3)$ time … $O(b^2 \cdot 2l)$

  8. Square-and-Multiply
     • Goal: compute $m^e \bmod n$
     • From left to right in e:

         l = sizeof(n);
         temp = 1;
         for (i = l-1; i >= 0; i--) {
             temp = temp * temp;
             temp = temp % n;
             if (e[i]) {            /* bit i of e */
                 temp = temp * m;
                 temp = temp % n;
             }
         }

     • Example 1: e=100
     • Example 2: e=10000000
     • Example 3: e=11111111

     Speeding up RSA Decryption
     • Let C be an RSA ciphertext, and let:
       – $d_p = d \bmod (p-1)$
       – $d_q = d \bmod (q-1)$
     • Compute:
       – $M_p = C^{d_p} \bmod p$
       – $M_q = C^{d_q} \bmod q$
     • And solve:
       – $M = M_p \bmod p$
       – $M = M_q \bmod q$
     • $M = [M_p \, q \, (q^{-1} \bmod p) + M_q \, p \, (p^{-1} \bmod q)] \bmod (pq)$
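The two slides above, as an added Python example (not code from the lecture): left-to-right square-and-multiply, a count of the modular products it performs, and CRT decryption built on it. The checks use the lecture's own numbers (p=17, q=13, e=5, d=77); reading the three example exponents as binary strings is an assumption.

```python
def square_and_multiply(m, e, n):
    """Left-to-right binary exponentiation: scan e from its top bit down."""
    temp = 1
    for i in range(e.bit_length() - 1, -1, -1):
        temp = (temp * temp) % n           # always square
        if (e >> i) & 1:                   # multiply only when bit i of e is 1
            temp = (temp * m) % n
    return temp

def count_products(e):
    """(squarings, multiplications) the loop above performs for exponent e."""
    return e.bit_length(), bin(e).count("1")

def crt_decrypt(c, d, p, q):
    """RSA decryption via two half-size exponentiations and CRT recombination."""
    d_p, d_q = d % (p - 1), d % (q - 1)
    m_p = square_and_multiply(c % p, d_p, p)   # M_p = C^(d_p) mod p
    m_q = square_and_multiply(c % q, d_q, q)   # M_q = C^(d_q) mod q
    q_inv = pow(q, -1, p)                      # q^-1 mod p
    p_inv = pow(p, -1, q)                      # p^-1 mod q
    return (m_p * q * q_inv + m_q * p * p_inv) % (p * q)

if __name__ == "__main__":
    # Lecture example: p=17, q=13, n=221, e=5, d=77, x=5
    y = square_and_multiply(5, 5, 221)
    print("E(5) =", y)
    print("D(y) plain =", square_and_multiply(y, 77, 221))
    print("D(y) CRT   =", crt_decrypt(y, 77, 17, 13))
    # Exponents from the slide, read as binary (assumption)
    for bits in ("100", "10000000", "11111111"):
        print(bits, count_products(int(bits, 2)))
```
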

  9. More on RSA
     • Modulus n is unique per user
       – 2 or more parties cannot share the same n
     • What happens if Alice and Bob share the same modulus?
       – Alice has (e', d', n) and Bob has (e'', d'', n)
       – Alice wants to compute d'' (Bob’s private key)
       – She knows that: e' * d' = 1 mod phi(n)
       – So: e' * d' = k * phi(n) + 1 and: e' * d' - 1 = k * phi(n)
       – Alice just needs to compute the inverse of e'' mod X
         • where X = e' * d' - 1 = k * phi(n)
         • let’s call this inverse d'''
         • and remember that: d''' * e'' = k' * k * phi(n) + 1
         • can we be sure that: d''' = d''?
       – Is it possible that e'' has no inverse mod X?
         • Yes, if e'' = phi(n) or gcd(e'', k) > 1, but this is very, very UNLIKELY!
       – For all decryption purposes, d''' is EQUIVALENT to d''
       – Suppose Eve encrypted for Bob: $C = m^{e''} \bmod n$
       – Alice computes: $C^{d'''} \bmod n = m^{e'' d'''} \bmod n = m^{k' \cdot k \cdot \phi(n) + 1} \bmod n = m$

     Lecture 9
     Public Key Cryptography: Encryption + Signatures
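For the shared-modulus slide in "More on RSA" above, an added Python example (not from the lecture) that carries the argument through on the lecture's toy modulus n = 221 and shows why every user needs a distinct n. Alice's pair (5, 77) is the slide's example key; Bob's exponent 13 and the message 42 are constructed for the example.

```python
from math import gcd

def equivalent_private_exponent(e_own, d_own, e_other):
    """From one key pair (e', d') on modulus n, derive d''' for another
    user's public exponent e'' on the same n, without factoring n."""
    x = e_own * d_own - 1              # X = e'd' - 1 = k * phi(n)
    if gcd(e_other, x) != 1:
        # the slide's unlikely case: e'' has no inverse mod X
        raise ValueError("e'' is not invertible mod X")
    return pow(e_other, -1, x)         # d''' with d''' * e'' = 1 mod X

def shared_modulus_demo():
    n, phi = 221, 192                  # lecture example: n = 17 * 13
    e1, d1 = 5, 77                     # Alice's pair (from the slide example)
    e2 = 13                            # Bob's public exponent (constructed)
    d2 = pow(e2, -1, phi)              # Bob's real d''; Alice never sees it
    d3 = equivalent_private_exponent(e1, d1, e2)
    m = 42                             # constructed message
    c = pow(m, e2, n)                  # someone encrypts for Bob
    recovered = pow(c, d3, n)          # Alice decrypts with d'''
    return d2, d3, recovered, m

if __name__ == "__main__":
    d2, d3, recovered, m = shared_modulus_demo()
    print("Bob's d'' =", d2, " Alice's d''' =", d3)
    print("d''' - d'' is a multiple of phi(n):", (d3 - d2) % 192 == 0)
    print("Alice recovers the message:", recovered == m)
```
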

  10. El Gamal PK Cryptosystem (`83)
     • $p$: large prime
     • $b$: base, primitive element, generator
     • $x$: private exponent
     • $y$: public residue; $y \equiv b^x \bmod p$
     • $P = Z_p^*$
     • $C = Z_p^* \times Z_p^*$
     • Publics: $p$, $b$, $y$
     • Secrets: $x$
     • Encryption:
       1. generate random $r \in Z_{p-1}$
       2. compute: $k = b^r \bmod p$
       3. compute: $c = m y^r \bmod p = m b^{xr} \bmod p$
       4. ciphertext $= \{k, c\}$
     • Decryption:
       1. compute $k^x \bmod p$
       2. compute $(k^x)^{-1} \bmod p$
       3. $m' = (k^x)^{-1} c = b^{-rx} m b^{xr} \bmod p = m$

     El Gamal (Example)
     • p = 13, b = 2, x = 9
     • y = 2^9 mod 13 = 5
     • Encryption:
       – m = 11, r = 10
       – k = 2^10 mod 13 = 10
       – c = 11 * 5^10 mod 13 = 2
       – ciphertext = {10, 2}
     • Decryption:
       – 10^9 mod 13 = 12
       – 12^(-1) mod 13 = 12
       – 2 * 12 = 24 ≡ 11 mod 13

  11. Digital Signatures
     • Integrity
     • Authentication
     • Non-Repudiation
     • Time-Stamping
     • Causality
     • Authorization
     If you like your current health insurance plan, you can keep it!

     Digital Signatures
     A signature scheme: (P, A, K, Sign, Verify)
     • P - plaintext (msgs); usually the message hash
     • A - signatures
     • K - keys
     • Sign - signing function: (P × K) → A
     • Verify - verification function: (P × A × K) → {0,1}

  12. RSA Signature Scheme
     Use the fact that, in RSA, encryption reverses “decryption”
     • Let $n = pq$ where $p \neq q$ are two (large) primes
     • $e \in Z^*_{\Phi(n)}$ and $e = d^{-1} \bmod \Phi(n)$ and $ed \equiv 1 \bmod \Phi(n)$
     • $\Phi(n) = (p-1)(q-1)$
     • Secrets: $p$, $q$, $d$
     • Publics: $n$, $e$
     • Signing: message $= m$; Sign($m$): $y = m^d \bmod n$
     • Verification: signature $= y$; Verify($y$, $m$): $(m = y^e)$ ???

     RSA Signature Scheme (contd)
     • The Good:
       • Verification can be cheap (like RSA encryption)
       • Mechanically same as RSA decryption function
       • Security based on RSA encryption
       • Signing is harder but #verify-s > 1 …
       • Deterministic
     • The Bad:
       • Recall that RSA is malleable: signatures can be “massaged”
       • Phony “random” signatures
         • compute $Y = RSA(e, X) = X^e \bmod n$
         • X is a signature of Y because $Y^d = X \bmod n$
     • The Ugly:
       • Signing requires integrity!
       • How to sign multiple blocks?
       • Deterministic – needs additional randomization!
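"The Bad" above, as an added Python example (not from the lecture): raw RSA signing accepts a phony (Y, X) pair and a product of two signatures, while signing the message hash, as the signature-scheme slide suggests, rejects both. The key (Mersenne primes $2^{61}-1$ and $2^{89}-1$, e = 65537) and the SHA-256-mod-n digest are toy assumptions made for the example.

```python
import hashlib

# Constructed toy key (assumption, far too small for real use)
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_raw(m):
    """Slide scheme: y = m^d mod n."""
    return pow(m, D, N)

def verify_raw(y, m):
    """Slide scheme: accept if m = y^e mod n."""
    return pow(y, E, N) == m % N

def h(msg: bytes):
    """Toy digest: SHA-256 reduced mod n (assumption for this example)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign_hashed(msg: bytes):
    return pow(h(msg), D, N)

def verify_hashed(y, msg: bytes):
    return pow(y, E, N) == h(msg)

def phony_signature(x):
    """Pick any X and set Y = X^e mod n: X verifies as a raw signature
    of Y although the private key was never used."""
    return pow(x, E, N), x             # (message Y, signature X)

def combine(y1, y2):
    """Malleability: the product of two raw signatures verifies for the
    product of the two messages."""
    return (y1 * y2) % N

if __name__ == "__main__":
    y_msg, x_sig = phony_signature(123456789)
    print("raw accepts phony pair:", verify_raw(x_sig, y_msg))
    print("hashed accepts phony pair:",
          verify_hashed(x_sig, y_msg.to_bytes(32, "big")))
    s = combine(sign_raw(1234), sign_raw(5678))
    print("raw accepts combined signature:", verify_raw(s, 1234 * 5678))
    s2 = combine(sign_hashed(b"pay 10"), sign_hashed(b"pay 20"))
    print("hashed accepts combined signature:",
          verify_hashed(s2, b"pay 10pay 20"))
```
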
